From 17e9d0b37cf83d0ea4dd885b11452a728e9a5419 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 09:41:31 +0000 Subject: import libssh-0.7.1-3.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f581039 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/libssh-0.7.1.tar.xz diff --git a/.libssh.metadata b/.libssh.metadata new file mode 100644 index 0000000..771c2b3 --- /dev/null +++ b/.libssh.metadata @@ -0,0 +1 @@ +112fdd5c10dd508a10e3c494fc79156a5ff24751 SOURCES/libssh-0.7.1.tar.xz diff --git a/README.md b/README.md deleted file mode 100644 index 98f42b4..0000000 --- a/README.md +++ /dev/null @@ -1,4 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/libssh-0.7.1-fix_agent_bigendian.patch b/SOURCES/libssh-0.7.1-fix_agent_bigendian.patch new file mode 100644 index 0000000..e773525 --- /dev/null +++ b/SOURCES/libssh-0.7.1-fix_agent_bigendian.patch @@ -0,0 +1,109 @@ +--- a/libssh-0.7.2-fix_agent_bigendian.patch ++++ a/libssh-0.7.2-fix_agent_bigendian.patch +@@ -0,0 +1,105 @@ ++From 0425ac9ad0f8f1cefa12b448d31a400ced3e89b9 Mon Sep 17 00:00:00 2001 ++From: Andreas Schneider ++Date: Wed, 14 Oct 2015 20:45:49 +0200 ++Subject: [PATCH] agent: Fix agent auth on big endian machines ++ ++BUG: https://red.libssh.org/issues/204 ++ ++Signed-off-by: Andreas Schneider ++--- ++ ConfigureChecks.cmake | 1 + ++ include/libssh/priv.h | 10 ++++++++++ ++ src/agent.c | 17 +++++++++++++---- ++ 3 files changed, 24 insertions(+), 4 deletions(-) ++ ++diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake ++index c0326c2..3587b07 100644 ++--- a/ConfigureChecks.cmake +++++ b/ConfigureChecks.cmake ++@@ -56,6 +56,7 @@ check_include_file(libutil.h HAVE_LIBUTIL_H) ++ check_include_file(sys/time.h HAVE_SYS_TIME_H) ++ check_include_file(sys/param.h HAVE_SYS_PARAM_H) ++ check_include_file(arpa/inet.h HAVE_ARPA_INET_H) +++check_include_file(byteswap.h HAVE_BYTESWAP_H) ++ ++ if (WIN32) ++ check_include_files("winsock2.h;ws2tcpip.h;wspiapi.h" HAVE_WSPIAPI_H) ++diff --git a/include/libssh/priv.h b/include/libssh/priv.h ++index 95a22c6..b7a80fe 100644 ++--- a/include/libssh/priv.h +++++ b/include/libssh/priv.h ++@@ -43,6 +43,16 @@ ++ # endif ++ #endif /* !defined(HAVE_STRTOULL) */ ++ +++#ifdef HAVE_BYTESWAP_H +++#include +++#endif +++ +++#ifndef bswap_32 +++#define bswap_32(x) \ +++ ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | \ +++ (((x) & 0x0000ff00) << 8) | (((x) & 0x000000ff) << 24)) +++#endif +++ ++ #ifdef _WIN32 ++ ++ /* Imitate define of inttypes.h */ ++diff --git a/src/agent.c b/src/agent.c ++index 922d753..e520773 100644 ++--- a/src/agent.c +++++ b/src/agent.c ++@@ -382,6 +382,9 @@ int ssh_agent_get_ident_count(struct ssh_session_struct *session) { ++ ssh_buffer_free(reply); ++ return -1; ++ } +++#ifdef WORDS_BIGENDIAN +++ type = bswap_32(type); +++#endif ++ ++ SSH_LOG(SSH_LOG_WARN, ++ "Answer type: %d, expected answer: %d", ++@@ -392,7 +395,7 @@ int ssh_agent_get_ident_count(struct ssh_session_struct *session) { ++ return 0; ++ } else if (type != c2) { ++ ssh_set_error(session, SSH_FATAL, ++- "Bad authentication reply message type: %d", type); +++ "Bad authentication reply message type: %u", type); ++ ssh_buffer_free(reply); ++ return -1; ++ } ++@@ -507,8 +510,8 @@ ssh_string ssh_agent_sign_data(ssh_session session, ++ ssh_buffer reply; ++ ssh_string key_blob; ++ ssh_string sig_blob; ++- int type = SSH2_AGENT_FAILURE; ++- int flags = 0; +++ unsigned int type = 0; +++ unsigned int flags = 0; ++ uint32_t dlen; ++ int rc; ++ ++@@ -572,13 +575,19 @@ ssh_string ssh_agent_sign_data(ssh_session session, ++ ssh_buffer_free(reply); ++ return NULL; ++ } +++#ifdef WORDS_BIGENDIAN +++ type = bswap_32(type); +++#endif ++ ++ if (agent_failed(type)) { ++ SSH_LOG(SSH_LOG_WARN, "Agent reports failure in signing the key"); ++ ssh_buffer_free(reply); ++ return NULL; ++ } else if (type != SSH2_AGENT_SIGN_RESPONSE) { ++- ssh_set_error(session, SSH_FATAL, "Bad authentication response: %d", type); +++ ssh_set_error(session, +++ SSH_FATAL, +++ "Bad authentication response: %u", +++ type); ++ ssh_buffer_free(reply); ++ return NULL; ++ } ++-- ++2.5.0 ++ + diff --git a/SOURCES/libssh-CVE-2016-0739.patch b/SOURCES/libssh-CVE-2016-0739.patch new file mode 100644 index 0000000..ad5247c --- /dev/null +++ b/SOURCES/libssh-CVE-2016-0739.patch @@ -0,0 +1,68 @@ +From dc2eaa017fe77e53bd9f1d4327a480d9bfe6cc6a Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis +Date: Tue, 9 Feb 2016 15:09:27 +0100 +Subject: [PATCH] dh: fix CVE-2016-0739 + +Due to a byte/bit confusion, the DH secret was too short. This file was +completely reworked and will be commited in a future version. +--- + src/dh.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/dh.c b/src/dh.c +index e489a1d..d27b66e 100644 +--- a/src/dh.c ++++ b/src/dh.c +@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) { + } + + int dh_generate_x(ssh_session session) { ++ int keysize; ++ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) { ++ keysize = 1023; ++ } else { ++ keysize = 2047; ++ } + session->next_crypto->x = bignum_new(); + if (session->next_crypto->x == NULL) { + return -1; + } + + #ifdef HAVE_LIBGCRYPT +- bignum_rand(session->next_crypto->x, 128); ++ bignum_rand(session->next_crypto->x, keysize); + #elif defined HAVE_LIBCRYPTO +- bignum_rand(session->next_crypto->x, 128, 0, -1); ++ bignum_rand(session->next_crypto->x, keysize, -1, 0); + #endif + + /* not harder than this */ +@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) { + + /* used by server */ + int dh_generate_y(ssh_session session) { +- session->next_crypto->y = bignum_new(); ++ int keysize; ++ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) { ++ keysize = 1023; ++ } else { ++ keysize = 2047; ++ } ++ session->next_crypto->y = bignum_new(); + if (session->next_crypto->y == NULL) { + return -1; + } + + #ifdef HAVE_LIBGCRYPT +- bignum_rand(session->next_crypto->y, 128); ++ bignum_rand(session->next_crypto->y, keysize); + #elif defined HAVE_LIBCRYPTO +- bignum_rand(session->next_crypto->y, 128, 0, -1); ++ bignum_rand(session->next_crypto->y, keysize, -1, 0); + #endif + + /* not harder than this */ +-- +2.7.1 + + diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec new file mode 100644 index 0000000..2457def --- /dev/null +++ b/SPECS/libssh.spec @@ -0,0 +1,210 @@ +%define _hardened_build 1 + +Name: libssh +Version: 0.7.1 +Release: 3%{?dist} +Summary: A library implementing the SSH protocol +License: LGPLv2+ +URL: http://www.libssh.org +Group: System Environment/Libraries +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +Source0: https://red.libssh.org/attachments/download/154/libssh-0.7.1.tar.xz + +Patch1: libssh-CVE-2016-0739.patch +Patch2: libssh-0.7.1-fix_agent_bigendian.patch + +BuildRequires: cmake +BuildRequires: doxygen +BuildRequires: openssl-devel +BuildRequires: pkgconfig +BuildRequires: zlib-devel + +%description +The ssh library was designed to be used by programmers needing a working SSH +implementation by the mean of a library. The complete control of the client is +made by the programmer. With libssh, you can remotely execute programs, transfer +files, use a secure and transparent tunnel for your remote programs. With its +Secure FTP implementation, you can play with remote files easily, without +third-party programs others than libcrypto (from openssl). + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig +Requires: cmake + +%description devel +The %{name}-devel package contains libraries and header files for developing +applications that use %{name}. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 -b .libssh-0.7.2-fix_agent_bigendian.patch + +# Remove examples, they are not packaged and do not build on EPEL 5 +sed -i -e 's|add_subdirectory(examples)||g' CMakeLists.txt +rm -rf examples +sed -i -e 's| -pedantic-errors||g' cmake/Modules/DefineCompilerFlags.cmake + +%build +if test ! -e "obj"; then + mkdir obj +fi +pushd obj + +%cmake \ + %{_builddir}/%{name}-%{version} +make %{?_smp_mflags} VERBOSE=1 CFLAGS="-no-pedantic-errors" +make doc + +popd + +%install +pushd obj +make DESTDIR=%{buildroot} install +popd + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%clean +rm -rf %{buildroot} + +%files +%doc AUTHORS BSD ChangeLog COPYING README +%{_libdir}/libssh.so.* +%{_libdir}/libssh_threads.so.* + +%files devel +%doc obj/doc/html +%{_includedir}/libssh/callbacks.h +%{_includedir}/libssh/legacy.h +%{_includedir}/libssh/libssh.h +%{_includedir}/libssh/libsshpp.hpp +%{_includedir}/libssh/server.h +%{_includedir}/libssh/sftp.h +%{_includedir}/libssh/ssh2.h +%dir %{_libdir}/cmake/libssh +%{_libdir}/cmake/libssh/libssh-config-version.cmake +%{_libdir}/cmake/libssh/libssh-config.cmake +%{_libdir}/pkgconfig/libssh.pc +%{_libdir}/pkgconfig/libssh_threads.pc +%{_libdir}/libssh.so +%{_libdir}/libssh_threads.so + +%changelog +* Wed Mar 22 2017 - Dominik Perpeet - 0.7.1-3 +- Fix agent auth on big endian machines + +* Mon Feb 22 2016 - Stef Walter - 0.7.1-2 +- Security fix for CVE-2016-0739 rhbz#1305971 + +* Mon Jul 06 2015 - Stef Walter - 0.7.1-1 +- Updated to 0.7.1 release rhbz#1239085 + +* Wed Apr 22 2015 - Stef Walter - 0.6.4-4 +- Updated patch for CVE-2015-3146 + +* Wed Apr 22 2015 - Stef Walter - 0.6.4-3 +- Enable _hardened_build + +* Tue Apr 21 2015 - Stef Walter - 0.6.4-2 +- Security fix for CVE-2015-3145. + +* Wed Apr 01 2015 - Stef Walter - 0.6.4-1 +- Security fix for CVE-2014-8132. + +* Tue Mar 04 2014 - Andreas Schneider - 0.6.3-1 +- Fix CVE-2014-0017. + +* Mon Feb 10 2014 - Andreas Schneider - 0.6.1-1 +- Update to version 0.6.1. +- resolves: #1056757 - Fix scp mode. +- resolves: #1053305 - Fix known_hosts heuristic. + +* Wed Jan 08 2014 - Andreas Schneider - 0.6.0-1 +- Update to 0.6.0 + +* Fri Jul 26 2013 - Andreas Schneider - 0.5.5-1 +- Update to 0.5.5. +- Clenup the spec file. + +* Thu Jul 18 2013 Simone Caronni - 0.5.4-5 +- Add EPEL 5 support. +- Add Debian patches to enable Doxygen documentation. + +* Tue Jul 16 2013 Simone Caronni - 0.5.4-4 +- Add patch for #982685. + +* Mon Jun 10 2013 Simone Caronni - 0.5.4-3 +- Clean up SPEC file and fix rpmlint complaints. + +* Thu Feb 14 2013 Fedora Release Engineering - 0.5.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Petr Lautrbach 0.5.4-1 +- update to security 0.5.4 release +- CVE-2013-0176 (#894407) + +* Tue Nov 20 2012 Petr Lautrbach 0.5.3-1 +- update to security 0.5.3 release (#878465) + +* Thu Jul 19 2012 Fedora Release Engineering - 0.5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Feb 02 2012 Petr Lautrbach 0.5.2-1 +- update to 0.5.2 version (#730270) + +* Fri Jan 13 2012 Fedora Release Engineering - 0.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Jun 1 2011 Jan F. Chadima - 0.5.0-1 +- bounce versionn to 0.5.0 (#709785) +- the support for protocol v1 is disabled + +* Tue Feb 08 2011 Fedora Release Engineering - 0.4.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 19 2011 Jan F. Chadima - 0.4.8-1 +- bounce versionn to 0.4.8 (#670456) + +* Mon Sep 6 2010 Jan F. Chadima - 0.4.6-1 +- bounce versionn to 0.4.6 (#630602) + +* Thu Jun 3 2010 Jan F. Chadima - 0.4.4-1 +- bounce versionn to 0.4.4 (#598592) + +* Wed May 19 2010 Jan F. Chadima - 0.4.3-1 +- bounce versionn to 0.4.3 (#593288) + +* Tue Mar 16 2010 Jan F. Chadima - 0.4.2-1 +- bounce versionn to 0.4.2 (#573972) + +* Tue Feb 16 2010 Jan F. Chadima - 0.4.1-1 +- bounce versionn to 0.4.1 (#565870) + +* Fri Dec 11 2009 Jan F. Chadima - 0.4.0-1 +- bounce versionn to 0.4.0 (#541010) + +* Thu Nov 26 2009 Jan F. Chadima - 0.3.92-2 +- typo in spec file + +* Thu Nov 26 2009 Jan F. Chadima - 0.3.92-1 +- bounce versionn to 0.3.92 (0.4 beta2) (#541010) + +* Fri Aug 21 2009 Tomas Mraz - 0.2-4 +- rebuilt with new openssl + +* Sat Jul 25 2009 Fedora Release Engineering - 0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Jun 02 2009 Jan F. Chadima - 0.2-2 +- Small changes during review + +* Mon Jun 01 2009 Jan F. Chadima - 0.2-1 +- Initial build +